Last updated 28th July, 2022

DRAFT: SKA IAM Privacy Notice

The IAM (Identity and Access Manager) provides a prototype Authentication and Authorization Infrastructure (AAI) solution for the Square Kilometre Array (SKA) Regional Centre Network (SRCNet). The IAM acts as a proxy service, allowing SKA collaborators access to other SKA services and resources.

General Principles.

SKA considers it important to process only such personal data as is required for the proper functioning of SKA services. The personal data detailed below is collected for the purposes of identification, authentication, authorisation, access control, accounting, billing, resource management and information security. The legal basis for processing this data is for the purposes of the legitimate interests pursued by SKA and the science communities that SKA supports in order to provide IT services to its users.

Personal Information Collected and How We Use It.

1) Registration:

When you register with IRIS IAM to use IRIS services, the following data may be collected and associated with your account:

  • Personal Name
  • Professional email address
  • Employing institute
  • Science community affiliation and validity dates
  • Science community groups and roles
  • Professional address and telephone number
  • A non-reassigned, unique personal identifier - for example, the Subject Distinguished Name (DN) from your personal certificate

This data is necessary for security and accounting purposes to uniquely and properly identify and authenticate you when creating an account for subsequently accessing SKA services.

2) Access:

When you access SKA services, log records of your access to and actions on SKA resources are created. These records may contain:

  • your unique identifier (as described in 1), above)
  • your science community group(s) and role(s)
  • the network (IP) address from which you access the services
  • the date and time of access
  • details of actions you perform

In combination with the registration data above, these log records are necessary to meet the reliability and security requirements of SKA services and for resource management purposes. This includes authentication, authorisation, accounting, security incident handling, assisting in the analysis of reported problems and for contacting you if a problem is identified with your account.

For how long will your Personal Data be kept?

Access logs and accounting records are kept for up to 18 months before being anonymised or deleted.
SKA will keep your user registration data for as long as you remain a registered member of your Science Community plus the maximum accounting record retention period. In order to enable SKA to support the user employment life cycle, e.g. to confirm your identity when you return after a period of absence, and unless you explicitly request otherwise, SKA may keep your registration data for up to 36 months after you leave.

How your personal data is protected

The SKA IAM is committed to following the REFEDS Data Protection Code of Conduct. Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.
Your personal data is protected against unauthorised disclosure, modification or deletion, by technical and organisational measures, including during transfer as described below.

Who has access to your personal data?

SKA IAM will make your personal data accessible only to those authorised by SKA, and only for the purposes described above.

To whom do we transfer your data?

Your personal data may be transferred only to the following parties, and only as far as is necessary to provide the SKA services that you make use of:

  • SKA participants where necessary for the provisioning, operation and security of SKA services
  • trusted third parties for the purposes of security incident response

Other transfers are not allowed except where legally required.

What rights do you have related to our processing of your personal data?

You have the right to access a copy of the personal data we hold about you and you may request that we:

  • rectify them if inaccurate
  • cease their processing
  • delete them.

If your request is not admissible, we will write to tell you of this including the reasons why.
Changes to or removal of personal data may limit your access to IRIS services.
Please make your request using the contact details given below.

What legal basis do we use for processing your personal data?

We use legitimate interest as the legal basis for processing data as it is reasonable to expect that we process such data for the purpose of providing you with SKA services in a safe and secure manner.

Who to contact if you have a query about this privacy notice?

Please e-mail iris-iam-support@gridpp.rl.ac.uk, with subject "ATTN: Privacy Policy"
The SKA IAM is operated by the Science and Technology Facilities Council which is part of UK Research and Innovation (UKRI), at:

SKA IAM Team, Scientific Computing Dept., R89
Science and Technology Facilities Council
Rutherford Appleton Laboratory
Harwell Campus, Didcot OX11 0QX
United Kingdom

How to complain to a supervisory authority.

Details of the UKRI Data Protection Officer and your right to raise issues with the UK Information Commissioner’s Office are available at: https://www.ukri.org/about-us/privacy-notice/.
The applicable jurisdiction for SKA IAM is the United Kingdom of Great Britain and Northern Ireland (GB-UKM).